Doorkeeper: invalid_grant when requesting refresh token

Created on 3 Aug 2020  路  5Comments  路  Source: doorkeeper-gem/doorkeeper

Steps to reproduce

I have this as my initializer

Doorkeeper.configure do
  orm :active_record

  api_only

  # Issue access tokens with refresh token

  grant_flows ['assertion', 'refresh_token']

  use_refresh_token

  access_token_expires_in 30.seconds

  resource_owner_from_assertion do
    provider = params[:provider]

    if provider == "facebook"
      facebook_auth = ExternalAuthorization::Facebook.new(params[:assertion])
      facebook_auth.authorize
    end
  end
end

But when I issue a request via postman to get a new a refresh token, using

grant_type: "refresh_token"
refresh_token: "...."

I get back

{
    "error": "invalid_grant",
    "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}

I looked at two other issues posted here:

https://github.com/doorkeeper-gem/doorkeeper/issues/887
https://github.com/doorkeeper-gem/doorkeeper/issues/739

But no clear solution arose from that.

Ruby version: 2.6.6

Most helpful comment

I think I found the solution! I had to pass client id and client secret along with the refresh_token and grant_type as parameters.

All 5 comments

Hi!
First of all you don't need to add refresh_token to grant flows if you enabled it using user_refresh_token

https://github.com/doorkeeper-gem/doorkeeper/blob/a94b280c145f3c6cacccb064f3945bd868019306/lib/doorkeeper/config.rb#L598

But when I issue a request via postman to get a new a refresh token, using

Could you please provide a request you're using? Curl would be great (with headers, params, etc)

You can also take a look at the refresh token spec in the gem: https://github.com/doorkeeper-gem/doorkeeper/blob/ecad35f16da90386cf2a9961b9a9bfa5e775b5c9/spec/requests/flows/refresh_token_spec.rb

Got it! I actually tried without the grant_type added but I got the same problem.

My request is as follows:

curl --location --request POST 'http://localhost:3000/oauth2/token?grant_type=refresh_token&refresh_token=0YgTdxidrt-oMRFdtuSXh9L0_5MHhircSWhRDT2GW1c' \
--header 'Accept: application/json'

I think I found the solution! I had to pass client id and client secret along with the refresh_token and grant_type as parameters.

Hm, it's strange that you see invalid_grant instead of invalid_client when client credentials missing :thinking:
Need to check validations for that grant flow

That would have made it a bit easier to debug haha but I got there though! Thanks for the help!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rasheedhamdawi picture rasheedhamdawi  路  4Comments

iangreenleaf picture iangreenleaf  路  4Comments

amngibson picture amngibson  路  5Comments

edwinv picture edwinv  路  6Comments

yongwoon picture yongwoon  路  3Comments